I propose that the DAO create a Security workstream. This workstream would be available to host security-related proposals generally, and would have the following specific responsibilities:
- Providing architecture and code review from an attacker mindset
- Auditing smart contract code, both internal and that of potential partners
- Advising on appropriate standards for the protection of sensitive information
- Verifying sensitive processes to assure no hanky-panky is involved (e.g. airdrop eligibility lists)
- Sponsoring active penetration tests
- Coordinating vulnerability disclosures and incident response
- Helping protect Foxes against cyberattacks and scams
- Championing secure coding practices and a high standard of code quality
In addition, as ShapeShift US winds down, its Responsible Disclosure Program will be going with it; the Security workstream will have the responsibility of designing a proposal for the DAO’s own bug bounty program going forward.
No funding is requested at this stage; going forward, individual proposals will be brought at a later stage to fund specific initiatives, including any personnel requirements, and containing performance standards as applicable.
(For context, ShapeShift US’s Security department operates on a budget in the 5-figure-per-month range. I anticipate that the DAO’s Security workstream will likely have somewhat less in the way of systems expenses and somewhat more in the way of people expenses, but hopefully this is useful at least as a ballpark figure so that voters know what they’re getting into.)
I’m a Software Security Engineer in the current ShapeShift US Security department, and in light of the positive feedback received here, I’d like to volunteer to be the initial workstream leader.
It’s important that this workstream have a group of knowledgeable security engineers that the community trusts to coordinate sensitive tasks effectively, and a degree of continuity with the existing centralized infrastructure should help enable that trust. And while I can’t speak directly for my Security colleagues, I do believe that several of them will be joining us on this exciting but uncertain decentralized voyage, and I expect that they may also find their natural place in this workstream.
I’ll be leaving ShapeShift US’s employment at the end of the year. While I’m still on their payroll, I don’t intend to ask to be compensated for this role; afterwards, however, I do anticipate it being a paid position. (For the avoidance of doubt, I do also hope to make paid contributions to other workstreams as opportunities present themselves.)